Login errors in V3 when using Kerberos authentication

Douglas E Engert deengert at gmail.com
Sat Aug 8 20:38:51 EDT 2015



On 8/8/2015 3:10 PM, Keith Wessel wrote:
> On Sat, Aug 08, 2015 at 04:08:28PM +0000, Cantor, Scott wrote:
>> If you're using Java/JAAS to do Kerberos, it should be returning PREAUTH_FAILED, and that's already mapped appropriately. What is the implementation here that's different?
>

This might help:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html

javax.security.auth.login.LoginException: KrbException: Pre-authentication information was invalid (24) - Preauthentication failed


Also look at:
http://stackoverflow.com/questions/9738756/jaas-kerberos-login-exception-on-wrong-username-password


If you are seeing the error for some users, especially if the account name was changed or they have mixed case user names, it could be related to this:

https://bugs.openjdk.java.net/browse/JDK-6942448?page=com.atlassian.jira.plugin.system.issuetabpanels:changehistory-tabpanel

There are other possible issues, that could apply to only some users.
A Wireshark network trace would show the Kerberos packets, including the principal, domain and salt, e-types, and other info.

Or this shows how to get the info from the java log:

http://stackoverflow.com/questions/21728619/how-to-integrate-windows-authentication-sso-in-my-custom-web-server-java-based


(Back in 2004, it was found that Java was making some wrong assumptions about the kerberos protocols, assuming it knew
what was the salt, but it should have asked the KDC first. The KDC would return error 24 rather than 25.)
These should have been fixed in Java 6.


> We are using JAAS with all the config items set appropriately from Tom's
> message, left as they were in the default distribution.
>
> The error that I included in my original note is the result of an
> Kerberos auth against AD. Do I only need to add that specific error
> string to the same list in password-authn-config.xml where I already see
> PRAUTH_FAILED (the entry with key "InvalidPassword")?
>
> Or should PREAUTH_FAILED already be working with AD Kerberos?
>
> Keith
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
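The thread turns on one question: which Kerberos error code is hiding inside the JAAS `LoginException` text, and whether it is the one (24, PREAUTH_FAILED) that the IdP already maps to a bad password. The following is an added example, not code from this thread or from the Shibboleth project: it pulls the numeric KDC error code out of a `KrbException` message of the form quoted above, names it per RFC 4120, and buckets it the way an "InvalidPassword"-style mapping would. The classification keys other than `InvalidPassword`, and the sample messages other than the one quoted in this mail, are constructed for illustration and are not the contents of `password-authn-config.xml`.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# KDC error codes as defined in RFC 4120 section 7.5.9. A JAAS/Krb5LoginModule
# failure surfaces the code in parentheses in the exception message, e.g.
# "Pre-authentication information was invalid (24) - Preauthentication failed".
KRB_ERROR_NAMES: Dict[int, str] = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    68: "KDC_ERR_WRONG_REALM",
}

# Assumed classification keys in the style of the IdP's password-authn-config.xml.
# Only "InvalidPassword" appears in the thread; the others are assumptions here.
CLASSIFICATION: Dict[int, str] = {
    6: "UnknownUsername",
    18: "AccountLocked",
    23: "ExpiredPassword",
    24: "InvalidPassword",
}

# Match the first "(NN)" in the message; that is where the KDC code lives.
_CODE_RE = re.compile(r"\((\d+)\)")


@dataclass(frozen=True)
class KrbLoginFailure:
    code: Optional[int]      # numeric KDC error code, or None if absent
    name: str                # RFC 4120 name, or UNKNOWN_<n>
    classification: str      # how a password-flow mapping would treat it


def classify_login_exception(message: str) -> KrbLoginFailure:
    """Classify one LoginException/KrbException message string."""
    m = _CODE_RE.search(message)
    if m is None:
        # No "(NN)" present: not a KDC error we can map by code, e.g. a
        # config or network problem. Leave it unclassified rather than guess.
        return KrbLoginFailure(None, "NO_KRB_CODE", "Unclassified")
    code = int(m.group(1))
    return KrbLoginFailure(
        code,
        KRB_ERROR_NAMES.get(code, f"UNKNOWN_{code}"),
        CLASSIFICATION.get(code, "Unclassified"),
    )


def summarize_failures(messages: Iterable[str]) -> Dict[str, int]:
    """Count failures per classification; useful for spotting whether
    unexpected 'Unclassified' results (the problem in this thread) are
    a general misconfiguration or confined to a few error codes."""
    counts: Dict[str, int] = {}
    for msg in messages:
        key = classify_login_exception(msg).classification
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample messages. The first is the one quoted in this mail; the
# others imitate the shape of Java's KrbException text and are illustrative only.
SAMPLE_MESSAGES = [
    "javax.security.auth.login.LoginException: KrbException: "
    "Pre-authentication information was invalid (24) - Preauthentication failed",
    "javax.security.auth.login.LoginException: Client not found in Kerberos database (6)",
    "javax.security.auth.login.LoginException: Clients credentials have been revoked (18)",
    "javax.security.auth.login.LoginException: Password has expired (23)",
    "javax.security.auth.login.LoginException: Receive timed out",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        f = classify_login_exception(msg)
        print(f"{f.code!s:>4}  {f.name:<28}  {f.classification}")
    print(summarize_failures(SAMPLE_MESSAGES))
```

If a code other than 24 shows up for the users who cannot log in, the fix is a mapping entry for that code's message text, not a change to the existing PREAUTH_FAILED one; if no code appears at all, the failure is happening before the KDC answered and the Java Kerberos debug output or a packet capture, as suggested above, is the place to look.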


